I managed to add a bridge to my Xen VPS, but apparently OpenVZ does not support bridges.

However I just can't get it to work. Every tutorial I tried so far tells me to change my /etc/network/interfaces file, but that makes my VPS unresponsive and forces me to reboot it through SolusVM (and thus my changes are not saved).
I found a different, more promising tutorial here:
https://www.linux.com/learn/tutorials/305765-how-to-bridge-networks-with-openvpn
Which tells me to do these steps:
openvpn --mktun --dev tap0 to create the tap0 interface --> No problem
then run brctl addbr br0 to create the bridge --> OK as well
and brctl addif br0 eth0 --> VPS unresponsive, need to reboot in SolusVM.

Do you really want your VPS's public IP bridged? I doubt this will work without provider fiddling, as your bridge and clients will have a different MAC than your VPS, which they are unlikely to allow on their network. It's the equivalent of walking into your provider's DC and plugging your laptop into their core switch.

@rchurch said: Isn't KVM/VMWare/Xen HVM the place for those kind of tricks?

I've a feeling bridging will not work on OpenVZ or XenPV, unless something fanciful can be done on the host node. They are not proper hardware emulators.

Is the Xen in question a PV or HVM?

Thanks, I did not know that! The Xen in question is PV so that could explain why it's not working!

@tehdan said: Do you really want your VPS's public IP bridged? I doubt this will work without provider fiddling, as your bridge and clients will have a different MAC than your VPS, which they are unlikely to allow on their network. It's the equivalent of walking into your provider's DC and plugging your laptop into their core switch.

What are you trying to achieve? Is this for your PS3 stuff?

Well no, I don't want my VPS's public IP bridged, I just want to achieve that my clients can connect to my VPS and that the VPS acts like a bridge between the clients.

This is indeed still for my PS3 stuff :) ! It's the missing link to get it all working. Got a 6TB MicroServer, but the feature I bought it for is not working yet because of this.

So you're putting a VPS in the middle of all this? It would be more efficient to have a direct connection between the file server and local router - you'll be pushing a lot of traffic, so fewer hops are desirable. I guess you might need the VPS if you can't open a port at either end of things... It's worth a try.

I think the first thing is to get your VPS, file server and the router your PS3 connects through all on a bridged OpenVPN and check they can ping each other. The only place you need a bridge interface is the router which has a PS3 plugged into it - you use bridges to connect networks (one real, one virtual in this case...), the file server and VPS can just do everything on their tap0 interfaces.

You need to pick a subnet that is not in use for any network with a device that's connecting to your VPN - for this reason it's usually safest to pick a 10.X.Y.0/24 where X and Y are picked at random.

So use the server config from the first tutorial you linked to on the server, comment out the up/down lines and don't bother with the scripts these lines run on the server. Give it a static IP, probably 10.X.Y.1. Once this is running, make sure you have a tap0 with that IP. I'd also comment out duplicate-cn, assuming you're making separate certs for each client, and comp-lzo - your media will already be compressed and trying to compress it in any event will create more of a CPU bottleneck.

Next, use their client config on your file server - get it connected, you should get a 10.X.Y.0/24 address - make sure you can ping 10.X.Y.1 from the file server, and ping whatever IP your file server has from the VPN.

Repeat the client setup on the router that your PS3 is plugged into - make sure everything can ping everything - you won't reach the PS3 at this point, but the fileserver/VPS/router should all be able to talk. If you can get that going, bridging in a physical ether on your router should be reasonably straightforward - but it's good to attack these things in stages :)

@tehdan Once again thanks for the (very detailed!!) reply. Really appreciate it!!

Well, I am now starting to hesitate over whether putting a VPS in the middle is the best option to accomplish my goal. Here's the situation, maybe you can give me some advice on what you deem to be the best option:
I have a NAS/MicroServer running Windows 7 which will be placed at my friend's house, since he has a 100Mbit uplink.
The NAS/MicroServer will run SickBeard/CouchPotato/SABnzbd and store my iTunes database; in other words it will automatically download all my favorite series and movies and also store my iTunes database. I want to be able to access my series/movies and iTunes database from anywhere, and not just me, some friends of mine as well.
It will also run PS3 Media Server, and here's where it gets tricky: PS3 Media Server only works if it detects the PS3 on the LAN because of a DLNA-like protocol/service it uses. My PS3 obviously isn't located at my friend's house, so I need some sort of bridge/VPN to accomplish this. The PS3 itself doesn't support bridges or VPN, so a router in front of it with DD-WRT should do the trick.

Therefore I was thinking of using OpenVPN as a bridge. But I am now unsure if I should put a VPS in between. I understand fewer hops between my NAS/MicroServer and PS3 are desirable, because I indeed will push a lot of traffic....

I am looking forward to your opinion regarding the situation above and what you think is the best option to try.

Okay, great - here's what I'd try. I assume your friend has already forwarded a port so you can SSH to your file server? Also get him to forward port 1194 UDP (or frankly, any other UDP port). That way you can make your file server also be the OpenVPN server.

Set up your file server with the configs like I suggested - use the config from the tutorial, but comment out the up, down, duplicate-cn and comp-lzo lines and replace the IPs with ones that make sense for your setup.

Then try setting up a client - I guess you want to get to all this from your laptop too anyhow, and it will be less problematic and easier to debug than the DD-WRT router. The tutorial configs should work here with minimal adjustment - server names and IPs. Make sure the client can ping the server; it should also see any services you have running on the file server.

Once you've done that, see if you can configure your DD-WRT device - you should be able to get into the same position where you can ping the server on its tap0 address from your router.

Once you've done this, it's just a case of bridging the tap0 on your DD-WRT router with the ethernet port the PS3 is connected to... try to get this far first because it's going to be a lot easier to debug laptop - vpn - server than ps3 - dd-wrt - vpn - server
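The server-side steps above (comment out up/down, duplicate-cn and comp-lzo; give tap0 a static 10.X.Y.1; pick a random 10.X.Y.0/24 that clashes with nobody's LAN, as in the earlier post) are mechanical enough to script. The following is an added example written for this thread, not code from the linked tutorial or from OpenVPN itself. The sample server.conf is constructed to look like a typical bridge-mode tutorial file; the directive names are real OpenVPN directives, but the paths and pool ranges are placeholders. It also flags a few hardening directives (tls-auth/tls-crypt, remote-cert-tls, an explicit cipher) that such tutorials usually leave out.

```python
"""Audit and fix an OpenVPN tap-mode server.conf along the lines of this thread.

Added example, not from the linked tutorial.  SAMPLE_SERVER_CONF is
constructed; directive names are real OpenVPN directives.
"""
import ipaddress
import random

# Constructed: the shape of a bridge-mode tutorial's server.conf before the
# edits suggested in the thread.  Paths and pool ranges are placeholders.
SAMPLE_SERVER_CONF = """\
mode server
tls-server
port 1194
proto udp
dev tap0
up "/etc/openvpn/bridge-start"
down "/etc/openvpn/bridge-stop"
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
duplicate-cn
comp-lzo
keepalive 10 120
persist-key
persist-tun
"""

# Lines to comment out when the server box has no bridge of its own, every
# client has its own certificate, and the payload is already-compressed media.
DROP_DIRECTIVES = {"up", "down", "duplicate-cn", "comp-lzo"}


def directive_of(raw):
    """First word of a config line, or None for blank and comment lines."""
    line = raw.strip()
    if not line or line[0] in "#;":
        return None
    return line.split()[0]


def audit(text):
    """Return finding codes for the config: 'drop:<directive>', 'missing:<directive>', 'dev:not-tap'."""
    present = {}
    for raw in text.splitlines():
        d = directive_of(raw)
        if d:
            present.setdefault(d, []).append(raw.split()[1:])
    findings = []
    dev = present.get("dev", [[""]])[0]
    if not dev or not dev[0].startswith("tap"):
        findings.append("dev:not-tap")          # tun carries no Ethernet frames, so it cannot be bridged
    if "server-bridge" not in present:
        findings.append("missing:server-bridge")
    for d in sorted(DROP_DIRECTIVES & set(present)):
        findings.append("drop:" + d)
    # Hardening the tutorial skips (added advice, not part of the thread):
    if not ({"tls-auth", "tls-crypt"} & set(present)):
        findings.append("missing:tls-auth")     # HMAC on the control channel drops unauthenticated UDP before the TLS handshake
    if "remote-cert-tls" not in present:
        findings.append("missing:remote-cert-tls")  # only certs issued with the client EKU may connect
    if "cipher" not in present:
        findings.append("missing:cipher")       # older OpenVPN silently defaults to BF-CBC
    return findings


def apply_fixes(text):
    """Comment out DROP_DIRECTIVES in place, keeping the original lines visible."""
    out = []
    for raw in text.splitlines():
        out.append("# " + raw if directive_of(raw) in DROP_DIRECTIVES else raw)
    return "\n".join(out) + "\n"


def pick_vpn_subnet(in_use, rng=random):
    """Random 10.X.Y.0/24 that overlaps none of the LANs at any site joining the VPN."""
    taken = [ipaddress.ip_network(n) for n in in_use]
    for _ in range(1000):
        cand = ipaddress.ip_network(f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
        if not any(cand.overlaps(t) for t in taken):
            return cand
    raise RuntimeError("no free 10.X.Y.0/24 found")


def server_lines(subnet):
    """Config lines for the chosen subnet: .1 on the server's tap0 (ifconfig),
    a client pool of .50-.100 handed out by server-bridge.  The tap0 address
    could equally be set outside OpenVPN; ifconfig keeps it in one file."""
    subnet = ipaddress.ip_network(subnet)
    hosts = list(subnet.hosts())
    gw, first, last = hosts[0], hosts[49], hosts[99]
    return [f"ifconfig {gw} {subnet.netmask}",
            f"server-bridge {gw} {subnet.netmask} {first} {last}"]


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_SERVER_CONF))
    chosen = pick_vpn_subnet(["192.168.1.0/24", "192.168.0.0/24"])
    print("\n".join(server_lines(chosen)))
    print(apply_fixes(SAMPLE_SERVER_CONF))
```

Run it against the real server.conf to see which of the thread's four directives are still active, then paste the two generated lines in place of the tutorial's server-bridge line. The in_use list should contain every LAN that will ever have a client on it (your friend's, yours, the DD-WRT router's), which is exactly why a random 10.X.Y.0/24 is safer than 10.8.0.0/24 or 192.168.1.0/24.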

@tehdan The NAS/MicroServer isn't yet at his house. It's scheduled for installation this Wednesday or next week Monday/Tuesday/Wednesday. We are both pretty busy with work/study, so it's hard to find a date that suits us both for me to deliver/set up/install the NAS/MicroServer at his house.

We'll setup a DMZ so the port forwarding part should be OK.
Also, SSH into my server? You mean for file transfers or to execute commands, since it's running Windows... I have FileZilla FTP Server set up as well as TeamViewer, but I was also planning to add my drives to My Computer as a mapped network drive.

If I understand you correctly, a VPS in the middle is the way to go? But I do need a KVM/VMWare/Xen HVM VPS for this, right?

Yes, I want to access it from my laptop/desktop too.

I will setup laptop-vpn-server first :)

Yup, he has unlimited bandwidth. I'll pay for the power, roughly 8 euros a month, and he gets to use 1TB of space for free plus my usenet account, in trade for the housing/internet usage.

No, I wouldn't put a VPS in the middle, although I'm assuming you can run OpenVPN as a server on Windows with minimal fuss.

Just configure your windows machine as an OpenVPN server and make sure you can reach it from the outside world when you install it. Once you can get your laptop connected from a remote site and see the network, you're half way there.

Okay, then I misunderstood you.
So basically it's just a normal OpenVPN setup like you would normally do, but using the tap0 interface rather than tun and commenting out a few things, right?

I might sound like a total retard now, but there are still some things that I do not fully understand:

But basically, tap interfaces can be put in a bridge - which is what you need to do to get the PS3 on the virtual network. tap networks also transport broadcast traffic, which you'll need for iTunes and probably other services that use mDNS for discovery.

Is it true that I need to create a new virtual network adapter for every client that wants to connect?

You need 1 interface for each VPN - your file server will probably have one, and multiple clients can talk to it. This was not true of older versions of OpenVPN and it's not true with static keys, so any info to the contrary you've found is probably either old or relates to static-key configs. (I've assumed from the tutorials you've linked to that you've set up a CA and generate a key+certificate for each client?)

And if I am using OpenVPN already to browse the web, I cannot use it together with this OpenVPN bridge right?

No, this is possible - your computers can be on multiple VPNs; this does require one tap/tun interface per VPN/network. It would be fine on your laptop to have a tun VPN as your default route via a VPS and a tap VPN to your file server - but you must make sure you use separate IP ranges on both VPNs, and make sure only one of them creates a default route. It may require a little fiddling with routes for optimum performance.
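The two conditions in the last reply (non-overlapping ranges, exactly one VPN allowed to install a default route) are easy to get wrong when the second client config is copied from the first, and easy to check before connecting. The following is an added example for this thread, not code from OpenVPN or from anyone in it. The two VPN descriptors are constructed placeholders for what each server would push to the laptop; it models the laptop's route table after both tunnels come up, including the way OpenVPN's redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 (which beat the existing default by prefix length) plus a host route to the VPN server via the real gateway, and resolves destinations by longest-prefix match.

```python
"""Check that two OpenVPN clients can coexist on one laptop: distinct ranges,
one default route, and traffic to each network leaving on the right interface.

Added example for this thread; VPN descriptors are constructed placeholders.
"""
import ipaddress

# Constructed: what each VPN server pushes to the laptop.  Only the web VPS
# is allowed to redirect the default route; the file-server VPN is not.
VPNS = [
    {"name": "web-vps", "dev": "tun0", "network": "10.8.0.0/24",
     "server": "203.0.113.10", "default_route": True},
    {"name": "file-server", "dev": "tap0", "network": "10.37.211.0/24",
     "server": "198.51.100.20", "default_route": False},
]


def check_vpn_coexistence(vpns):
    """Return problems: overlapping VPN ranges, or more than one default route."""
    problems = []
    nets = [(v["name"], ipaddress.ip_network(v["network"])) for v in vpns]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"overlap: {name_a} {net_a} and {name_b} {net_b}")
    defaults = [v["name"] for v in vpns if v["default_route"]]
    if len(defaults) > 1:
        problems.append("default-route: " + ", ".join(defaults))
    return problems


def build_route_table(lan, gateway, vpns):
    """Model the laptop's route table after the clients connect.

    Entries are (network, interface, next_hop).  redirect-gateway def1 adds
    0.0.0.0/1 and 128.0.0.0/1 via the tunnel (longer prefixes than the
    existing 0.0.0.0/0, so they win without deleting it) and a /32 to the
    VPN server via the real gateway, so the tunnel never carries its own
    encapsulated packets.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), "eth0", gateway),
             (ipaddress.ip_network(lan), "eth0", None)]
    for v in vpns:
        table.append((ipaddress.ip_network(v["network"]), v["dev"], None))
        if v["default_route"]:
            table.append((ipaddress.ip_network(v["server"] + "/32"), "eth0", gateway))
            table.append((ipaddress.ip_network("0.0.0.0/1"), v["dev"], None))
            table.append((ipaddress.ip_network("128.0.0.0/1"), v["dev"], None))
    return table


def route_lookup(table, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1]


if __name__ == "__main__":
    print("problems:", check_vpn_coexistence(VPNS))
    table = build_route_table("192.168.1.0/24", "192.168.1.1", VPNS)
    for dst in ("10.37.211.5", "93.184.216.34", "203.0.113.10", "192.168.1.10"):
        print(f"{dst:>15} -> {route_lookup(table, dst)}")
```

If the check reports a second default route, the fix is on the client side of the file-server VPN: leave redirect-gateway out of that server's push list, or ignore it on the laptop with `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4 and later) so the server cannot hijack your default route even if it is later misconfigured. An overlap report means one of the two networks has to move, which is again why a random 10.X.Y.0/24 for the file-server VPN beats the tutorial's 10.8.0.0/24 that every other OpenVPN setup also uses.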